From b84928706b81cccd89ecedf8f81b72210a75ba87 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 16 Jun 2022 11:57:58 -0700
Subject: [PATCH 1/3] s3: test: Add tests to show we still connect to a full_audit share with a bad success or fail VFS names. Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15098
Signed-off-by: Jeremy Allison
Reviewed-by: Andrew Bartlett
(cherry picked from commit fe78d3c014d1756fe628175baeaa08c58e3e2f02)
---
 selftest/knownfail.d/full_audit_badname | 2 ++
 selftest/target/Samba3.pm | 8 ++++++
 source3/script/tests/test_bad_auditnames.sh | 29 +++++++++++++++++++++
 source3/selftest/tests.py | 6 +++++
 4 files changed, 45 insertions(+)
 create mode 100644 selftest/knownfail.d/full_audit_badname
 create mode 100755 source3/script/tests/test_bad_auditnames.sh
diff --git a/selftest/knownfail.d/full_audit_badname b/selftest/knownfail.d/full_audit_badname
new file mode 100644
index 00000000000..b353875fb4e
--- /dev/null
+++ b/selftest/knownfail.d/full_audit_badname
@@ -0,0 +1,2 @@
+^samba3.blackbox.test_full_audit_success_badname.Cannot\ connect\ to\ share\ full_audit_success_bad_name\(fileserver\)
+^samba3.blackbox.test_full_audit_fail_badname.Cannot\ connect\ to\ share\ full_audit_fail_bad_name\(fileserver\)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index b260f26cbc0..df94e358a6e 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -3292,6 +3292,14 @@ sub provision($$)
 [acls_non_canonical]
 copy = tmp
 acl flag inherited canonicalization = no
+
+[full_audit_success_bad_name]
+ copy = tmp
+ full_audit:success = badname
+
+[full_audit_fail_bad_name]
+ copy = tmp
+ full_audit:failure = badname
 ";
 close(CONF);
diff --git a/source3/script/tests/test_bad_auditnames.sh b/source3/script/tests/test_bad_auditnames.sh
new file mode 100755
index 00000000000..69ddf1436f4
--- /dev/null
+++ b/source3/script/tests/test_bad_auditnames.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# this tests a full audit share with bad VFS
+# names will not allow connection.
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15098
+
+if [ $# -lt 5 ]; then
+ cat </dev/null 2>&1
+}
+
+testit "Cannot connect to share $SHARE" can_connect || failed=$((failed + 1))
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 40c2fb63f62..ca7bdde2509 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -665,6 +665,12 @@ for env in ["fileserver"]:
 plantestsuite("samba3.blackbox.fifo", env, [os.path.join(samba3srcdir, "script/tests/test_fifo.sh"), '$SERVER', '$DOMAIN', 'gooduser', '$PASSWORD', '$PREFIX', env, smbclient3])
+ plantestsuite("samba3.blackbox.test_full_audit_success_badname", env,
+ [os.path.join(samba3srcdir, "script/tests/test_bad_auditnames.sh"),
+ '$SERVER', 'full_audit_success_bad_name', '$USERNAME', '$PASSWORD', smbclient3])
+ plantestsuite("samba3.blackbox.test_full_audit_fail_badname", env,
+ [os.path.join(samba3srcdir, "script/tests/test_bad_auditnames.sh"),
+ '$SERVER', 'full_audit_fail_bad_name', '$USERNAME', '$PASSWORD', smbclient3])
 for env in ["fileserver:local"]:
 plantestsuite("samba3.blackbox.net_usershare", env, [os.path.join(samba3srcdir, "script/tests/test_net_usershare.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', smbclient3])
-- 
2.34.1
From 2b0315d56a7b7b5015059bebd79682ba274d2024 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 16 Jun 2022 12:00:26 -0700
Subject: [PATCH 2/3] s3: VFS: full_audit: Use correct DBG_ print messages in init_bitmap().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15098
Signed-off-by: Jeremy Allison
Reviewed-by: Andrew Bartlett
(cherry picked from commit ec91a583708c57d0da28da7b70e6366153129c64)
---
 source3/modules/vfs_full_audit.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index 5903849931e..002f1645c54 100644
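Review bot: The last line of source3/script/tests/test_bad_auditnames.sh, `testit "Cannot connect to share $SHARE" can_connect || failed=$((failed + 1))`, counts a failure in `failed`, but nothing after it reads the counter. When the check fails the last command executed is the assignment, so the script itself exits 0. Ending the script with `exit $failed` would make the exit status agree with the reported result. Part of this hunk's text is missing on this page (between `cat <` and `/dev/null 2>&1`), so this is based on the visible tail of the script only.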
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -511,13 +511,13 @@ static struct bitmap *init_bitmap(TALLOC_CTX *mem_ctx, const char **ops)
 struct bitmap *bm;
 if (ops == NULL) {
+ DBG_ERR("init_bitmap, ops list is empty (logic error)\n");
 return NULL;
 }
 bm = bitmap_talloc(mem_ctx, SMB_VFS_OP_LAST);
 if (bm == NULL) {
- DEBUG(0, ("Could not alloc bitmap -- "
- "defaulting to logging everything\n"));
+ DBG_ERR("Could not alloc bitmap\n");
 return NULL;
 }
@@ -559,8 +559,7 @@ static struct bitmap *init_bitmap(TALLOC_CTX *mem_ctx, const char **ops)
 }
 }
 if (i == SMB_VFS_OP_LAST) {
- DEBUG(0, ("Could not find opname %s, logging all\n",
- *ops));
+ DBG_ERR("Could not find opname %s\n", *ops);
 TALLOC_FREE(bm);
 return NULL;
 }
-- 
2.34.1
From 3c6cdfd8b541f2511fe4d7852579c42657fb6b1b Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Thu, 16 Jun 2022 12:05:19 -0700
Subject: [PATCH 3/3] s3: VFS: full_audit. Ensure the module doesn't load if an operation name is miss-spelled or otherwise unknown. Document this new behavior. Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15098
Signed-off-by: Jeremy Allison
Reviewed-by: Andrew Bartlett
(cherry picked from commit 69bb8853f61212074a7095055fb3570660a1cc27)
---
 docs-xml/manpages/vfs_full_audit.8.xml | 5 +++++
 selftest/knownfail.d/full_audit_badname | 2 --
 source3/modules/vfs_full_audit.c | 10 ++++++++++
 3 files changed, 15 insertions(+), 2 deletions(-)
 delete mode 100644 selftest/knownfail.d/full_audit_badname
diff --git a/docs-xml/manpages/vfs_full_audit.8.xml b/docs-xml/manpages/vfs_full_audit.8.xml
index fc08845ac3c..dcd71fa9b64 100644
--- a/docs-xml/manpages/vfs_full_audit.8.xml
+++ b/docs-xml/manpages/vfs_full_audit.8.xml
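Review bot: In the first init_bitmap() hunk of patch 2/3, the new message for the `ops == NULL` branch repeats the function name and calls the list "empty", although the test is for a NULL pointer. Samba's DBG_ERR already prefixes the calling function's name, so the logged line would read `init_bitmap: init_bitmap, ops list is empty ...`. `DBG_ERR("ops list is NULL (logic error)\n");` says the same without the duplicate and matches the condition being checked. init_bitmap's body continues outside both hunks.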
@@ -156,6 +156,11 @@ the VFS operations and none of the VFS operations respectively.
+ If an unknown operation name is used (for example an operation name
+ is miss-spelled), the module will fail to load and clients will
+ be refused connections to a share using this module.
+
+
 vfs_full_audit records operations in fixed format consisting of fields separated by '|' characters. The format is:
diff --git a/selftest/knownfail.d/full_audit_badname b/selftest/knownfail.d/full_audit_badname
deleted file mode 100644
index b353875fb4e..00000000000
--- a/selftest/knownfail.d/full_audit_badname
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba3.blackbox.test_full_audit_success_badname.Cannot\ connect\ to\ share\ full_audit_success_bad_name\(fileserver\)
-^samba3.blackbox.test_full_audit_fail_badname.Cannot\ connect\ to\ share\ full_audit_fail_bad_name\(fileserver\)
diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index 002f1645c54..8fa1ada9fcb 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -747,9 +747,19 @@ static int smb_full_audit_connect(vfs_handle_struct *handle,
 pd->success_ops = init_bitmap( pd, lp_parm_string_list(SNUM(handle->conn), "full_audit", "success", none));
+ if (pd->success_ops == NULL) {
+ DBG_ERR("Invalid success operations list. Failing connect\n");
+ SMB_VFS_NEXT_DISCONNECT(handle);
+ return -1;
+ }
 pd->failure_ops = init_bitmap( pd, lp_parm_string_list(SNUM(handle->conn), "full_audit", "failure", none));
+ if (pd->failure_ops == NULL) {
+ DBG_ERR("Invalid failure operations list. Failing connect\n");
+ SMB_VFS_NEXT_DISCONNECT(handle);
+ return -1;
+ }
 /* Store the private data. */
 SMB_VFS_HANDLE_SET_DATA(handle, pd, NULL,
-- 
2.34.1
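Review bot: Both new failure branches in smb_full_audit_connect() log `Invalid ... operations list. Failing connect` without naming the share. They also fire for every NULL from init_bitmap(), which per patch 2/3 on this page includes a failed bitmap allocation and a NULL ops list, not only an unknown operation name. A typo in `full_audit:success` or `full_audit:failure` now refuses every connection to that share, so this log line is what an administrator has to diagnose it with; consider `DBG_ERR("Invalid success operations list for share %s. Failing connect\n", lp_const_servicename(SNUM(handle->conn)));` and the same for the failure branch. The function starts and ends outside the hunk, so whether `pd` needs an explicit release on these early returns cannot be judged from here.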